This middleware is added to the stack when `config.force_ssl = true`, and
is passed the options set in `config.ssl_options`. It does three jobs to
enforce secure HTTP requests:

1. TLS redirect: Permanently redirects http:// requests to https://
with the same URL host, path, etc. Enabled by default. Set `config.ssl_options`
to modify the destination URL
(e.g. `redirect: { host: "secure.widgets.com", port: 8080 }`), or set
`redirect: false` to disable this feature.
Cookies will not be flagged as secure for excluded requests.
2. Secure cookies: Sets the `secure` flag on cookies to tell browsers they
mustn't be sent along with http:// requests. Enabled by default. Set
`config.ssl_options` with `secure_cookies: false` to disable this feature.
3. HTTP Strict Transport Security (HSTS): Tells the browser to remember
this site as TLS-only and automatically redirect non-TLS requests.
Enabled by default. Configure `config.ssl_options` with `hsts: false` to disable.

Set `config.ssl_options` with `hsts: { … }` to configure HSTS:

* `expires`: How long, in seconds, these settings will stick. The minimum
required to qualify for browser preload lists is `18.weeks`. Defaults to
`180.days` (recommended).
* `subdomains`: Set to `true` to tell the browser to apply these settings
to all subdomains. This protects your cookies from interception by a
vulnerable site on a subdomain. Defaults to `true`.
* `preload`: Advertise that this site may be included in browsers'
preloaded HSTS lists. HSTS protects your site on every visit *except the
first visit* since it hasn't seen your HSTS header yet. To close this
gap, browser vendors include a baked-in list of HSTS-enabled sites.
Go to https://hstspreload.appspot.com to submit your site for inclusion.
Defaults to `false`.

To turn off HSTS, omitting the header is not enough. Browsers will remember
the original HSTS directive until it expires. Instead, use the header to
tell browsers to expire HSTS immediately. Setting `hsts: false` is a
shortcut for `hsts: { expires: 0 }`.